NTP BUG 3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet
Last update: February 15, 2022 15:25 UTC (b158e7036)
A crafted malicious authenticated mode 6 (
ntpq) packet from a permitted network address can trigger a NULL pointer dereference, crashing
ntpd. Note that for this attack to work, the sending system must be on an address that the target’s
ntpd accepts mode 6 packets from, and must use a private key that is specifically listed as being used for mode 6 authorization.
restrict noquery to limit addresses that can send mode 6 queries.
- Limit access to the private controlkey in
- Upgrade to 4.2.8p13 or later.
Reported by Magnus Stubman.